This week, FedRAMP published two Q&As for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
Q: Can we start the annual assessment early?
A: Yes, you can start your annual assessment early as long as you submit your package before the anniversary date of your Provisional Authority to Operate (P-ATO). However, you should work with your Authorizing Official to determine that the schedule is appropriate.
Cloud Service Providers (CSPs)
Q: Are there any additional requirements for a Significant Change involving changing a scanning tool?
A: In order to change vulnerability scanning tools, you must develop a plan for the transition. The vulnerabilities identified by your current scanner must be addressed via the Plan of Action and Milestones (POA&M) process.
Vulnerability scans are often used to show closure of vulnerabilities. If the current scanner is removed, the current vulnerabilities must still be tracked (and evidence of closure should be provided). Many CSPs operate their current scanner in a limited capacity (performing targeted scans) in parallel with their new scanner until the existing vulnerabilities are remediated or appropriately mapped to the new scanner. This will clear the existing vulnerabilities from the old scanner and determine that the new scanner can deliver similar scan results.
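As an added example (not FedRAMP guidance or any scanner vendor's code), the Python below shows the reconciliation step that parallel operation implies: each open POA&M finding from the outgoing scanner is mapped against the replacement scanner's first run, and a parity figure is computed for hosts both tools scanned. It assumes both exports have already been reduced to (host, CVE) pairs and that the new scanner's check coverage is known as a set of CVE IDs; the host names, the "CVE-0000-000x" identifiers and the finding lists are constructed placeholders.

```python
"""Reconcile open POA&M findings across a vulnerability-scanner transition.

Added example, not FedRAMP's or any vendor's code. Record layout, the
check-coverage set and all sample findings are constructed for
illustration; real exports (CSV/XML) would be parsed into Finding first.
"""
from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str


class Disposition(Enum):
    STILL_OPEN = "still detected by new scanner; keep POA&M item open"
    CLOSURE_EVIDENCE = "new scanner has the check, scanned the host, no detection"
    CHECK_NOT_SUPPORTED = "new scanner has no check for this CVE; keep old scanner for targeted scans"
    HOST_NOT_SCANNED = "host not yet covered by new scanner; targeted scan required"


def reconcile(old_open, new_results, new_scanned_hosts, new_supported_cves):
    """Map each open old-scanner finding to what the new scanner can say about it.

    A finding only counts as closure evidence when the new scanner both has a
    check for the CVE and actually scanned the host; otherwise silence from the
    new tool proves nothing and the old scanner must keep running targeted scans.
    """
    detected = set(new_results)
    out = {}
    for f in old_open:
        if f in detected:
            out[f] = Disposition.STILL_OPEN
        elif f.cve not in new_supported_cves:
            out[f] = Disposition.CHECK_NOT_SUPPORTED
        elif f.host not in new_scanned_hosts:
            out[f] = Disposition.HOST_NOT_SCANNED
        else:
            out[f] = Disposition.CLOSURE_EVIDENCE
    return out


def detection_parity(old_results, new_results, common_hosts):
    """Share of old-scanner findings (on hosts both tools scanned in the same
    window) that the new scanner also reports, plus the set it missed.

    Both runs must be from the same window so a miss is a coverage gap (or an
    old-scanner false positive) rather than remediation in between.
    """
    old = {f for f in old_results if f.host in common_hosts}
    new = {f for f in new_results if f.host in common_hosts}
    if not old:
        return 1.0, set()
    missed = old - new
    return 1 - len(missed) / len(old), missed


def run_example():
    """Constructed data: two hosts, four open POA&M findings, one new-scanner run."""
    old_open = [
        Finding("web-01", "CVE-0000-0001"),
        Finding("web-01", "CVE-0000-0002"),
        Finding("db-01", "CVE-0000-0001"),
        Finding("db-01", "CVE-0000-0003"),
    ]
    new_results = [Finding("web-01", "CVE-0000-0001")]   # first run covered web-01 only
    new_scanned_hosts = {"web-01"}
    new_supported_cves = {"CVE-0000-0001", "CVE-0000-0002"}  # assumed check coverage

    dispositions = reconcile(old_open, new_results, new_scanned_hosts, new_supported_cves)
    parity, missed = detection_parity(old_open, new_results, new_scanned_hosts)
    return dispositions, parity, missed


if __name__ == "__main__":
    dispositions, parity, missed = run_example()
    for finding, d in dispositions.items():
        print(f"{finding.host:8} {finding.cve}: {d.value}")
    print(f"new-scanner parity on common hosts: {parity:.0%}; missed: {sorted(missed)}")
```

Read the two outputs together: a finding the parity check lists as missed is the same one that reconcile() would otherwise accept as closure evidence, so parity should be established (or each miss explained) before any POA&M item is closed on the strength of the new scanner alone.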
More Information
Read more about this week's FedRAMP Tips and Cues here.